Did you happen to see the article that ran last Monday (May 18) on MIT Technology Review online entitled “Are Your ‘Secret Questions’ Too Easily Answered?” We read this with great interest, mainly because we believe that the proper use of challenge questions as back-up authentication can definitely make your authentication process more robust. HOWEVER, implementing challenge questions without a defined strategy will certainly generate and increase security risks.
Requiring that users resetting passwords answer only a single challenge question — not to mention one selected from the typical short list of generic questions such as “What is your favorite city?” and “What is your favorite sports team?” — makes it just too easy for potential hackers to guess the answer and gain access to sensitive and private information. Such questions have a limited number of possible answers, making the guessing game that much easier. Even with more personal yet still general questions such as “Where did you go to high school?” or “What is your dog’s name?”, someone with very little knowledge of the user can make a pretty good guess.
That is why, as part of the stronger authentication capabilities we offer our customers, we provide multiple-challenge-question functionality for password recovery/reset that allows IT security administrators to create 10 questions that users answer at initial set-up. These questions can be as secure as the administrators want to make them. The administrators can then configure whether users must answer three, five or more randomly selected questions from that list to perform the password reset. For administrators who need assistance creating challenge questions that will not have common answers yet will be easy for users to remember, our professional services team is equipped with ideas.
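As an added illustration of the enrollment-and-reset flow just described (example code written for this post, not the product's own code), the sketch below stores a salted hash of each answer rather than the answer itself, picks an administrator-configured number of questions at random for each reset attempt, and only succeeds when every selected question is answered correctly. The question list and answers are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of administrator-defined questions (the post describes a list of 10).
QUESTIONS = [
    "Name of the street you lived on in third grade?",
    "First name of your oldest cousin?",
    "Make and model of your first car?",
    "Name of your first employer?",
    "Title of the first album you bought?",
    "City where your parents met?",
    "Name of your childhood best friend?",
    "Middle name of your maternal grandmother?",
    "Name of the hospital where you were born?",
    "Last four digits of your first phone number?",
]
ITERATIONS = 100_000  # PBKDF2 work factor; tune to the deployment's hardware

def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Main St' and 'main  st' compare equal."""
    return " ".join(answer.casefold().split())

def enroll(answers: dict) -> dict:
    """Map question index -> (salt, PBKDF2 digest); plaintext answers are never stored."""
    record = {}
    for idx, answer in answers.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
        record[idx] = (salt, digest)
    return record

def select_questions(record: dict, k: int) -> list:
    """Pick k distinct enrolled questions at random for one reset attempt (k is admin-configured)."""
    if not 1 <= k <= len(record):
        raise ValueError("k must be between 1 and the number of enrolled questions")
    return secrets.SystemRandom().sample(sorted(record), k)

def verify(record: dict, selected: list, responses: dict) -> bool:
    """Succeed only if every selected question is answered correctly; check all of them so timing does not reveal which one failed."""
    if set(responses) != set(selected):
        return False
    ok = True
    for idx in selected:
        salt, digest = record[idx]
        candidate = hashlib.pbkdf2_hmac("sha256", normalize(responses[idx]).encode(), salt, ITERATIONS)
        ok &= hmac.compare_digest(candidate, digest)
    return ok
```

In production the selected set should be bound to a single reset session and the attempt rate limited, so an attacker cannot keep requesting new random subsets until an easy one appears.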
As Stuart Schechter, the Microsoft researcher quoted in the article points out, “Back-up authentication schemes should have two important characteristics. They should be reliable, allowing a legitimate user to gain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.” Our multiple challenge question functionality possesses both.